Update host-upgrades addon to use pharos-host-upgrades

[SpComb]

See https://github.com/kontena/pharos-host-upgrades

Currently using the quay.io/kontena/pharos-host-upgrades:edge build, pending testing and a tagged release.

The defaults run upgrades at midnight, waiting up to two hours for the kube lock, without rebooting the host.

Replaces the kured addon, which needs to be deprecated somehow... This functionality is optional, it needs reboot: true to enable it.

TODO

• Test
• Don't run upgrades at exactly midnight by default
• Use tagged pharos-host-upgrades release images
• Deprecate kured addon #420 Deprecate the kured addon
• Add arm64 support
  • Missing arm64 builds pharos-host-upgrades#24

[SpComb]

I believe this will install all available updated package from all yum repos... my understanding is that CentOS is missing the required repo metadata for things like minimal-security to work, those are only available in RHEL:

• https://www.reddit.com/r/CentOS/comments/7wrjcp/how_to_handle_security_upgrades/
• https://updateinfo.cefs.steve-meier.de/
• https://www.caseylabs.com/centos-automatic-security-updates-do-not-work/

[jakolehm]

Yes, CentOS is missing security metadata. We lock kube/docker packages with yum-lockversion which should make this a bit more safe. For RHEL we could use security or similar?

[SpComb]

Should probably still consider testing the combination of yum-lockversion and the yum-cron configuration to make sure it doesn't upgrade pinned packages.

[jakolehm]

Tested, yum-versionlock works with yum-cron.

[SpComb]

The Ubuntu:xenial origin is whitelisted in the default configuration, AFAIK that corresponds to LTS point releases (16.04.x):

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}";
	"${distro_id}:${distro_codename}-security";
	// Extended Security Maintenance; doesn't necessarily exist for
	// every release and this system may not have it installed, but if
	// available, the policy for updates is such that unattended-upgrades
	// should also install from here by default.
	"${distro_id}ESM:${distro_codename}";
//	"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
//	"${distro_id}:${distro_codename}-backports";
};

[jakolehm]

Just a reminder that this need to be updated.

[SpComb]

This absolutely needs to have some regexp for validation, because anyone configuring this is going to be more likely to get the syntax wrong rather than right, and then be left debugging their CrashLoopBackoff pods... the feedback cycle for fixing this configuration is too long and painful otherwise.

[jakolehm]

I would prefer to merge this sooner than later.. if regexp takes time then we should open a new issue and mark it to the 1.2.0 milestone.

[SpComb]

No need, I already have something, it just needs specs to test it.

[SpComb]

Note: The --schedule-window defaults to 1h within pharos-host-upgrades itself, which might be a mistake... it should still be possible to disable it by using schedule_window: 0 - or something else that makes sense given the schedule, like schedule_window: 24h.

[SpComb]

This will now get overridden with --schedule-window=0 by default, which is IMO good behavior.

[SpComb]

Leaving #420 as a separate issue for the kured deprecation... having both kured and host-upgrades' running with reboot: true` may or may not behave badly.

[jakolehm]

Just wondering should we use valid cron schedule (we have fugit gem as a dep)?

[SpComb]

The pharos-cluster itself doesn't need to actually parse the cron string, but Fugit::Cron.parse would probably be better than a regexp... unfortunately, the github.com/robfig/cron package used by pharos-host-upgrades doesn't accept the standard five-field cron syntax, it expects an extended cron syntax with a leading seconds field... which is a bad idea IMO, it would be better if this used a standard cron syntax, we don't really need per-second granularity here.

Maybe we should change pharos-host-upgrades to accept a standard five-field cron syntax before releasing this?

[jakolehm]

I meant that we could use Fugit::Cron.parse to parse standard five-field cron and then addon could convert it to something that pharos-host-upgrades understands.

[SpComb]

I think that conversion should happen within pharos-host-upgrades.

[SpComb]

kontena/pharos-host-upgrades#30

[SpComb]

Looks like Fugit::Cron.parse also supports the alternative six-field cron syntax, which confuses things a bit now...

irb(main):003:0> Fugit::Cron.parse('0 0 0 * * *')
=> #<Fugit::Cron:0x0000000001c172c0 @original="0 0 0 * * *", @cron_s=nil, @seconds=[0], @minutes=[0], @hours=[0], @monthdays=nil, @months=nil, @weekdays=nil, @zone=nil, @timezone=nil>

[jakolehm]

Yes, CentOS is missing security metadata. We lock kube/docker packages with yum-lockversion which should make this a bit more safe. For RHEL we could use security or similar?

[SpComb]

If we wanted to make the 1.2 upgrade smoother, we could continue to accept existing addon configurations with interval, and just translate that to schedule: "@every ...".

[jakolehm]

Not sure if it's needed if the new addon complains when schedule is missing?

[SpComb]

Everyone using the existing host-upgrades addon will need to edit their cluster.yml when upgrading to 1.2. That could be avoided.

[jakolehm]

I think it's ok to edit cluster.yml in this case.

[SpComb]

Having a hard time figuring out how to get Fugit::Cron.parse to reject or normalize the extended seconds syntax without monkey-patching it...

  1) Pharos::Addons::HostUpgrades#validate schedule fails with long cron schedule
     Failure/Error: expect(result).to_not be_success
       expected `#<Dry::Validation::Result output={:enabled=>true, :schedule=>"0 0 0 * * *"} errors={}>.success?` to return false, got true
     # ./spec/pharos/addons/host_upgrades_spec.rb:49:in `block (4 levels) in <top (required)>'
     # ./spec/spec_helper.rb:121:in `block (2 levels) in <top (required)>'
     # ./spec/spec_helper.rb:111:in `block (2 levels) in <top (required)>'

[SpComb]

Hacked this in with a trivial monkeypatch to add a missing attr_reader... validating/normalizing the cron schedule was more difficult than expected this way.

[jakolehm]

We should try to push this also to the upstream.

[SpComb]

floraison/fugit#3

[SpComb]

^ this got merged and released upstream as 1.1.2, so I'll still update this PR to use that instead.

[jakolehm]

LGTM

[jakolehm]

@SpComb ok to merge?

[SpComb]

@SpComb ok to merge?

Good to go now.

[jakolehm]

@SpComb docs pr is still missing...